AWS Summit Paris - Keynote Slides

AWS Summit 2013Navigating the Cloud

AWS Summit, June 25th

Adam Selipsky, Vice-President, AWS

Networking Reception and Partner Expo

Breakout Tracks

9:00 - 11:00

Lunch and Partner Expo12:00 - 13:30

13:30 - 17:30

17:30 - 19:00

Bill Murray, General Manager, Security, AWS11:00 - 12:00

Gold Sponsors

Silver Sponsors

Visit our Partner & Solution Expo

Announcing: AWS French User Group

#awssummit

Join the Conversation

AWS Summit 2013Innovation Powered by the AWS Cloud

Adam SelipskyVice-President, AWS

7 Years YoungAmazon S3 launched: March 14th 2006

Broad & Deep Services to Support Virtually Any Cloud Workload

Compute NetworkingStorage &

CDNDatabase App Services Management

Amazon EC2

Amazon EMR

Amazon ELB

Amazon Route 53

Amazon VPC

AWS Direct Connect

Amazon S3

Amazon Glacier

Amazon EBS

AWS Import/Exp

Amazon RDS

Amazon DynamoDB

Amazon Elasticache

Amazon RedShift

Amazon CloudSearch

Amazon SWF

Amazon SQS

Amazon SNS

Amazon SES

Amazon Elastic Transcoder

AWS IAM

Amazon CloudWatch

AWS Elastic Beanstalk

AWS Cloudformation

AWS Data Pipeline

AWS OpsWorks

AWS CloudHSM

AWS Trusted Advisor

AWS Marketplace

AWS Premium Support

AWS Professional Services

AWS Training

2007 2008 2009 2010 2011 2012

159

82

6148

249

Including:

AWS Oregon Region

Elastic Beanstalk (Beta)

Amazon SES (Beta)

AWS CloudFormation

Amazon RDS for Oracle

AWS Direct Connect

AWS GovCloud (US)

Including:

Amazon SNS

Amazon CloudFront

Amazon Route 53

S3 Bucket Policies

RDS Multi-AZ Support

RDS Reserved Databases

AWS Import/Export

Including:

Amazon RDS

Amazon VPC

Amazon EMR

EC2 Auto Scaling

Including:

6 new Direct Connect Sites

DynamoDB

RDS in VPC

AWS Trusted Advisor

CloudFormation in VPC

AWS Storage Gateway

Amazon Glacier

Cost Allocation Tagging

CloudFront Live Streaming

Amazon CloudSearch

AWS Marketplace

Red Hat Reserved Instances

New EC2 Instance Types

Multi-AZ Oracle RDS

RDS SQL Server

EC2 RI Marketplace

AWS Service Launches & Feature Updates

January February March

2118

14Including:

AWS Management Console Tablet and Mobile Support

Elastic Transcoder

Price reduction for Amazon EC2, global expansion of M3 Standard

Instances, and reduced data transfer pricing.

Including:

Amazon Redshift Available to All Customers

AWS OpsWorks

IAM Role and Auto Scaling Support for Amazon CloudWatch Monitoring

Scripts for Linux

Amazon SQS and SNS Announce Lower Prices and Expanded Free Tiers - 50% price drop for SQS

Including:

New Lower Pricing for Amazon EC2 Reserved Instances

AWS Free Usage Tier Now Includes Amazon ElastiCache

Amazon DynamoDB Reduces Prices

AWS Elastic Beanstalk for Node.js

Amazon RDS now supports 3TB and 30,000 Provisioned IOPS per database

instance

Announcing EBS-Optimized Support for Additional Instance Types

53 AWS Service Launches & Feature Updates this year

AWS Global Infrastructure

9 regions

25 availability zones

38 edge locations

$5.2B retail business

7,800 employees

A whole lot of servers

2003

2012

Every day, AWS adds

enough server capacity to power this

$5B enterprise

$5.2B retail business

7,800 employees

A whole lot of servers

2003

Hundreds of Thousands of Customers in 190 Countries

Free steak campaign

Facebook page

Mars exploration ops

Consumer social app

Ticket pricing optimization

SAP & Sharepoint

Securities Trading Data Archiving

Gene sequencing

Marketing web site

Interactive TV apps

Financial markets analytics

R&D data analysis

Consumer social app

Big data analytics

Web site & media sharing

Disaster recovery

Media streaming

Web and mobile apps

Streaming webcasts

Facebook app

Consumer social app

Every Imaginable Use Case

Comprehensive Security Capabilities to Support Virtually Any Workload

VPC

Direct connect

Dedicated instances

Identity & Access Management

S3 Encryption

Security groups for EC2 and VPC

Network ACL

Multi-Factor Authentication

CloudHSM

RDS Oracle transparent encryption

Certifications & Accreditations for Workloads that Matter

“Amazon Virtual Private

Cloud offers an additional

level of security and an

ability to integrate with

other aspects of our

infrastructure.”

Dr. Michael Miller, Head of HPC for R&D

35 Price

Reductions

Since 2006

The AWS Price Reduction Philosophy

Ecosystem

Global Footprint

New Features

New ServicesInfrastructure Innovation

More AWS Usage

More Infrastructure

Economies of Scale

Lower Infrastructure

Costs

Reduced Prices

More Customers

AWS Trusted Advisor

Cost optimizations

Security & Availability checks

Performance

recommendations

329,000 recommendations

$22M in annualized savings

To: AWS Customer

From: Amazon Web Services

Subject: Potential Cost Savings

Dear Customer,We have identified $49,000 of potential savings in your current AWS deployment.

-Amazon Web Services

To: AWS Customer





To: AWS Customer





Obsessed with Helping Customers Save Money

Thriving Partner Ecosystem

Consulting Partners Technology Partners

AWS Marketplace: Buy Software Pre-Configured to Run on AWS

Growth since Jan 1, 2013

25 categories

778 product listings

Active customers

Usage per customer

102%

53%

Why are customers adopting cloud computing?

1. Trade Capital Expense for Variable Expense

On-Premises

$0 to get started

Pay as you goSource: IDC Whitepaper, sponsored by

Amazon, “The Business Value of Amazon Web Services Accelerates Over Time.”

July 2012

Average of 400 servers replaced

per customer

2. Lower Variable Expense Than Companies Can Do Themselves

Source: IDC Whitepaper, sponsored by Amazon, “The Business Value of Amazon Web Services Accelerates Over Time.” July 2012

70% lower 5 year TCO per app

AWS

On-premises

$3.01M

$0.90M

50% reduction in analytics costs

Saved $34M on SmartHub app

$3M reduction in hosting costs

3. You Don’t Need to Guess Capacity

Self Hosting

Waste

Customer

Dissatisfactio

n

Actual demand

Predicted Demand

Rigid

Actual demand

Elastic

The Cloud

4. Dramatically Increase Speed & Agility

Old World: Infrastructure in Weeks

4. Dramatically Increase Speed & Agility

Add New Dev Environment

Add New Production Environment

Add New Environment in Japan

Add 1,000 Servers

Remove 1,000 servers

Number of Instances 1,000

Instance Type M3 Extra Large

Availability Zone US-West-2b

Launch

aws.amazon.com/managementconsole

AWS: Infrastructure in MinutesOld World: Infrastructure in Weeks

“We reduced application deployment times from 2

months to 3 days.”

“Time to deploy went from weeks to hours.”

Source: IDC Whitepaper, sponsored by Amazon, “The Business Value of Amazon Web Services Accelerates Over Time.” July 2012

Overall

Deployment

Integration

Testing

Development

0

100%

200%

300%

400%

500%

600%

Imp

roved

Eff

icie

ncy

Comparison of developer efficiency with AWS and in-house alternatives

5X Faster

Increase Innovation When Experimentation Is Fast and Low Risk

Old world: AWS:

Experiment infrequently

Failure is expensive

Less innovation

Near $0 Experiment often

Fail quickly at a low cost

More innovation

Thierry de ValloisDirector of Technology

/ Utilisations du Cloud Computing dans le cadre du Réseau Ferré National

Sujets de la présentation

Faciliter la connaissance par le grand public de nos projets ferroviaires grâce à la cartographie

Réaliser ponctuellement un grand nombre de calculs à un coût accessible dans un temps raisonnable

Utilisations du Cloud Computing dans le cadre du Réseau Ferré National

La naissancedu projet

Chapitre 1


Une idée chemine au sein de nos équipes

Une mission de RFFnFaciliter l’accès aux propositions de tracés d’un grand projet ferroviaire aux différentes étapes de la

consultation

Une ciblenLe Grand Public

Les contributeurs internesnL’équipe métier en charge du projetnLe géomaticien régionalnL’équipe SI en charge de l’offre cartographiquenL’équipe SI en charge de l’innovation

Des échanges à l’origine d’une idéenOffrir sur le site internet du projet la possibilité

de naviguer dans nos données cartographiques


La déclinaison du besoin

Les données à présenternLes données décrivant l’environnement :

⎯carte de la France entière : routes et photosnLes données RFF

⎯Le réseau existant⎯Le projet : tracés, photos aériennes le long du tracé

Les fonctions à offrirnSe localiser nSe déplacer sur la cartenZoomernAfficher, masquer des données


D’une idéeà

Un service

Chapitre 2


Une proposition d’expérimentation

L’équipe innovation SI propose l’essai du Cloud

Le service de fourniture de données d’arrière-plan

Offre de services BingMap

Le service de recherche d’une localisation Offre de services BingMap

Le service de fourniture des données RFF de type vecteur

Offre IAAS de AWS supportant une solution ARCGIS SERVER de l’éditeur ESRI

Le service de fourniture des données RFF de type image

Offre de stockage d’AWS

Le service de restitution à l’utilisateur final Solution 1 : Développement sur la base du client javascript de la société ESRI

Solution 2 (retenue): Développement sur la base du client javascript de la société Microsoft


Convaincre en interne pour lancer le projet

Le DSI

Le RSSI L’architecte

Le responsable de la production


Des exigences inhabituelles

Le publicnLes internautes et non des utilisateurs identifiés de notre SI

disponibiliténLe service fonctionne en mode 24h/24 et 7j/7nUne sensibilité très forte dans la semaine qui suit la publication de nouvelles données

La sollicitationnLa capacité à absorber de forts pics de charge sur de courtes périodes

L’ergonomienIntuitive et fluide (similaire à notre expérience sur Internet)

Le déploiementnLa capacité de déployer rapidement le service pour tous les projets RFF qui en ont besoin


Situation deux ans après l’expérimentation

LES SITES EN PRODUCTIONnNotre site institutionnelnUn site projet

LES SITES PREVUSnMise en production d’un site projet pour juillet 2013 avec orthophotos

nDéploiement d’une carte interactive analogue sur 7 autres sites de grands projets d’ici fin 2013


Développementen cours

d’un nouvelusage

Chapitre 3


Besoins de capacités de calculs

Le problèmenEffectuer un calcul d’itinéraire sur le réseau ferré pour tous les trains prévus sur un an environ

4 fois par an

Les dimensions du problèmes nConnaître le descriptif de l’infrastructure ferroviaire et ses évolutions jour par jour sur la

période de calculnEffectuer environ 6 000 000 de calculs d’itinéraires


Plus vite, sans investir

Le recours au Cloud :nLa disponibilité de n serveurs pour distribuer les calculsnUn coût fonction juste du temps de calcul nPas d’investissements pour une infrastructure temporaire

Situation des résultats obtenus :n12 heures sur 10 serveurs au lieu de 4 jours sur un seulnUne facture de 100 $ pour 6 000 000 de calculs

Retour d’expérience :nAdapter non seulement sa gestion de production informatique, mais aussi ses techniques de

développement


A bientôtSur nos lignes

/ Titre de la présentation

Merci!

5. Stop Spending Money on Undifferentiated Heavy Lifting

buy and install new hardware

set up and configure new software

build new data centers

so you don’t have to...

Data Centers

Power

Cooling

Cabling

Networking

Racks

Servers

Storage

Labor

We take care of...

6. Go Global in Minutes

The Benefits of Cloud Computing

✔ ✔ ✔ ✔ ✔

Replace CapEx with

OpEx

Lower Overall Costs

No More Guessing Capacity

Agility / Speed /

InnovationShift Focus to Differentiation

Go Global in Minutes

✔

Pierre-Alexandre StanislasChief Technology Officer

Présenta)on de Millésima•Négociant en vin fondé en 1983, basé à Bordeaux• 2 500 000 bouteilles en stock• 70 000 clients par)culiers livrés dans 120 pays• CA 40 M€•Mul)canal• Panier moyen de 2000€• Premier site e-‐commerce en 1999

Oops! My Mistake...• Lancement d'un site Magento USA fin 2009•DIY• Trés bon ROI• Rm -‐rf /•Get a team

Let's get serious• Bascule de nos 14 sites sous Magento début 2010•Hébergeur physique "spécialisé"• Contrat de 3 ans• Catastrophe: Don't get Married in Vegas!

Efficiency•Hébergeur de renommée interna)onale• Trés gros Hardware & equipes qualifiées• Tenta)ve de Hack et choix Cornélien!• Toujours pas adapté à nos besoins

Test and Learn•Début 2012 le web fait 60% du CA et 80% des nouveaux clients• Et le Cloud? Pourquoi pas mes lequel?• Test de 2 "grands" Cloud• Test de l'infogérance•And the Winners are...

AWS + eNovance• Scalabilité : Hardware à la demande• Préproduc)on === Produc)on• Facture plus légère• Support devops 24/7 en Français• Plus de sueurs froide aux annonces du Marke)ng •Don’t Worry be Happy!

Merci!

AWS Adoption in the Enterprise

Enterprises are Adopting AWS to Achieve the Benefits of the Cloud

✔ ✔ ✔ ✔ ✔ ✔

Replace CapEx with

OpEx

Lower Overall Costs


Agility / Speed /



The Benefits Of The Cloud Are Only Possible IN THE CLOUD

“Private” Cloud x x x xx x

✔ ✔ ✔ ✔ ✔ ✔

Replace CapEx with

OpEx

Lower Overall Costs


Agility / Speed /



Forrester Foresights Survey Data , Q3 2012

Self-service Portals

24%

Resource Automation

27%

Resource Tracking

29%

Cost Chargeback

14%

Customers are Struggling to Deliver on Promises of the “Private Cloud” Vendors

Have you implemented these cloud features?

Many Enterprises Worry that These are the Only Two Choices

Build a “private” cloud

Rip and replace with AWS

#1 #2

The Good News is that the Cloud isn’t an ‘All or Nothing’ Choice

Corporate

Data Centers

On-Premises Resources

Cloud Resources

Seamless Integration

Active Directory

Network Configuration

Encryption

Back-up Appliances

Users & Access Rules

Your Private Network

HSM Appliance

Cloud back-ups

AWS Direct Connect

Your On-

Premise AppsYour Cloud

Apps

Integrating AWS with Your Existing On-Premises Infrastructure

Corporate Data Centers

Schneider Electric Delivers Apps Globally with AWS

Our Ecosystem Allows You to Use Your Existing Management Tools

Single Pane of Glass

On-Premises Datacenters

Management Tool Partners

How Enterprises Are Using AWS

Strategy 1: Cloud for Development & Test Environments

SAP

Reduced deployment time from weeks to days

Oracle Enterprise Applications

Reduced dev & test environment costs

SAP

70% reduction in operational costs

Strategy 2: Build New Apps for the Cloud

Faster to build

Facebook App

Global Web Sites

Mobile Streaming

Social Games

Consumer apps

Genetic Sequencing

Marketing Campaigns

Less expensive to run

Distributed architectures for high availability

Easier to manage

Financial record archiving

Canal+ Runs Key Customer Apps on AWS

Le Grand Journal iPad App

Analytics

Backup

Storage Gateway

Elastic Map Reduce

RedShift

Amazon S3

Strategy 3: Use Cloud to Make Existing On-Premises Apps Better

...


App 1

App 2

App N

Strategy 4: New Apps Powered by Both Cloud & On-Premises Resources

AWS serves up application content

& data

Integration back to Samsung data

centers for financial transactions


Hybrid App

Le Figaro Powers its iOS & Android Apps with AWS

Strategy 5: Migrate Existing Enterprise Apps to the Cloud

1/3 of servers migrated to AWS

Customer payments, content delivery & web sites

1 - 1.5M GBP saved in last 2 years

Expects to save additional 3M GBP in the next 3 years as they move to 75% AWS

App


Sean BurkeChief Technology Officer

Profile 2012

World leader in building materials

Major player in the cement, aggregates and concrete industries

We contribute to the construction of cities throughout the world with innovative solutions, providing cities with more housing, and make them more compact, more durable, more beautiful and better connected

Operating in 64 countries

65,000 employees

€15.8 billion of annual sales

1,570 production sites

Listed on the Paris Stock Exchange

74

Presentation name or chapter Date |

A well-balanced geographical portfolio

75

North America

€3,375m 8,821

Latin America

€961m 2,609

Middle East and Africa

€4,283m 19,644

Western Europe

€3,181m 11,448

Central and Eastern Europe

€1,270m 7,041

Asia

€2,746m 14,774

Annual sales Employees

|Building Better Cities| |May 2013|

Our markets

76

HOUSING ROADS

RAILWAYS BRIDGES

INFRASTRUCTURE PRIVATE/PUBLIC BUILDINGS

On all these markets, we provide innovative and environmentally-friendly solutions.

§The State of Global Economy§Long Term Stagnation in the Developed World§Rapid Growth in the Developing World (BRICs, etc)

§Lafarge’s Financial Position§High Level of Indebtedness post ORASCOM in 2008 ( €17 bn in 2008) §Share Price Collapse and down grading to “Junk” status

Economic Context

Architectural Context

Technology Debt§Hardware…..Long term under-investment§Software….Too many legacy versions in production

Lack of consistent architecture§Data Centres…. Too many§Software…. Too much

Lack of business confidence §Failure of services during critical business periods

Strategic Directions

§Consolidate and decommission where we can ( Create critical mass )

§Lease don’t buy (CAPEX to OPEX)

§Move to the cloud ( Pay for use )

§Partner ( Share risk )

79

CTO Vision Simplified

Physical Infrastructure (Data Centres, Networks)

Logical Infrastructure (Middleware, Identity and Access Management, DB’s)

Application Bricks

Security

Governance

CTO Vision

Security

Governance

Physical Infrastructure

Middleware ( OS’s, DB’s, etc)

Identity Management and Access Rights Management Service ( Employee Provisioning )

Employee ID

In House DC Public Cloud Private

( On / Off Premise)

ERP (Test)

ERP (Dev)

ERP (Prod)

HRIS

Email Social Net-

working

Content Manage-

ment

CRM Internet,

Intranet (Portals,

etc)

Consistent Management Tools

Consistent User Experience

Lafarge’s AWS Experience§ Initiative driven by:§ stability problems created by ageing hardware platforms § lack of bandwidth during the DC consolidation

§Group Institutional Sites migrated during 2010 and 2011§ ROI under 3 months§ Mirroring in place for key sites

§Group Internet Sites migrated during 2012§ ROI under 12 months§ Permanent VPN in place betz

§Circa 50 VMs in production

§Key Success Factors § Partnership and technical support from Edifixio§ Clarity of Roles and Responsibilities

§Future Plans§ Platform modernisation with migration from Websphere to Drupal

82

Thank You!

83

Strategy 6: All-in

10,000s of EC2 instances in multiple regions & zones

100s of middle tier services & applications

~70 billion events per day

At peak consumes 1/3 of US Internet bandwidth

What have we been working on?

Compute Services

Amazon EC2

Auto Scaling

Amazon Elastic Load Balancing

Actual

EC2

Linux

Windows

Hi I/O instances

Reserved Instance

Marketplace

Next gen standard

instances

EC2

EC2

EC2

EC2 A

EC2 B

EC2 CElastic load

balancer

Total Amazon Elastic Map Reduce (EMR) Clusters Launched by Customers

0

1,500,000

3,000,000

4,500,000

6,000,000

5/22/2010

7/3/2010

8/14/2010

9/25/2010

11/6/2010

12/18/2010

1/29/2011

3/12/2011

4/23/2011

6/4/2011

7/16/2011

8/27/2011

10/8/2011

11/19/2011

12/31/2011

2/11/2012

3/24/2012

5/5/2012

6/16/2012

7/28/2012

9/8/2012

10/20/2012

12/01/2012

1/12/2013

2/23/2013

4/6/2013

5.5 M clusters launched since May 2010

Amazon VPC

EC2 EC2

EC2EC2

Amazon Route 53

Availability Zone B

Availability Zone A

AWS Direct Connect

Los AngelesSingapore

JapanLondon

Sao PaoloNew YorkSydney

AWS Networking Services

Amazon S3 AWS Storage Gateway Amazon EBS

images

videosfiles

binariessnapshots

S3EC2

EBS

Your datacenter

compute

storage

Provisioned IOPS

images

videosfiles

binariessnapshots

Amazon Glacier

Storage Services

Easily archive files from on-premises or directly from Amazon S3

$0.01 per GB per month

Designed for 11 9s of durability, just like Amazon S3Amazon Glacier

images

videosfiles

binariessnapshots

S3

NAS

Amazon Glacier

Q4 2006

Q1 2007

Q2 2007

Q3 2007

Q4 2007

Q1 2008

Q2 2008

Q3 2008

Q4 2008

Q1 2009

Q2 2009

Q3 2009

Q4 2009

Q1 2010

Q2 2010

Q3 2010

Q4 2010

Q1 2011

Q2 2011

Q3 2011

Q4 2011

Q1 2012

Q2 2012

Q3 2012

Q4 2012

Q1 2013

1,100,000 Million peak requests/sec

Amazon S3: Over 2 Trillion Total Objects

Database Services

Amazon DynamoDB

Amazon RDS

AWS ElastiCache

NoSQLSQL

MySQL

Oracle

MS SQL Server

0 0 0 0 0 0 0

IOPS0 0 0 0 0 0 0

IOPS

EC2web server

memcached cluster

database

Amazon RedShift

BI Tools

S3

Node

Node

Node

Data warehouse as a service

Scale from hundreds of gigabytes to a petabyte or more

Use your existing SQL-based tools

Pay as you go

$999/TB/Year

10GigE (HPC)

Amazon S3

Ingestion Backup Restore

Node Node

Node

Node

Standard BI Tools

JDBC/ODBC

Amazon RedShift

Amazon CloudFront

Amazon CloudSearch

Amazon SES

Amazon Simple Workflow

Amazon SQS

Amazon SNS

HTTP

Email

SMS

ABCDEF

Amazon Elastic MapReduce

AWS Application Services

AWS Management Console

Amazon CloudWatch

AWS IAM

EC2 EBS

RDS ELBUsers

Roles

Access

Permissions

AWS Elastic Beanstalk

AWS CloudFormation

Java

PHP

Python

.NET

Ruby

Web App

SharePoint

SAP

Deployment & Administration

Integrated application management solution for ops-minded developers and IT admins

Model, control and automate applications of nearly any scale and complexity

Management Console, SDKs, or CLI

No additional cost

AWS OpsWorks

AWS CloudHSM

Dedicated access to HSM appliances managed & monitored by AWS, but you control the keys

Increase performance for applications that use HSMs for key storage or encryption

Comply with stringent regulatory and contractual requirements for key protection

EC2 Instance

AWS CloudHSM

AWS CloudHSM

How to choose a cloud vendor

Thank You!

Gold Sponsors

Silver Sponsors


AWS Summit 2013Innovation Powered by the AWS Cloud

Bill MurrayGeneral Manager, Security, AWS

Cloud Security is:

•Universal

•Visible

•Auditable

•Transparent

•Shared

•Familiar

Universal Cloud Security

Every Customer Has Access to the Same Security Capabilities, and

Gets to Choose What’s Right for Their Business

•Governments

•Financial Sector

•Pharmaceuticals

•Entertainment

•Start-Ups

•Social Media

•Home Users

AWS allows you to see your entire infrastructure at the click of a mouse. Can you map your current network?

Visible Cloud Security

ThisOr

This?

Auditable Cloud Security

How do you know AWS is right for your business?

3rd Party Audits•Independent auditors

Artifacts•Plans, Policies and Procedures

Logs•Obtained•Retained•Analyzed

Transparent Cloud Security

Choose the audit/certification that’s right for you:

•ISO-27001

•SOC-1, SOC-2

•FedRAMP

•PCI

Control Objective 1: Security Organization

•Who we are

•Proper control & access within the organization

Control Objective 2: Amazon User Access

•How we vet our staff

•Minimization of access

Security & Compliance Control Objectives

Control Objective 3: Logical Security

•Our staff start with no systems access

•Need-based access grants

•Rigorous systems separation

•Systems access grants regularly re-evaluated & automatically revoked


Control Objective 4: Secure Data Handling

•Storage media destroyed before being permitted outside our datacenters

•Media destruction consistent with US Dept. of Defense Directive 5220.22

Control Objective 5: Physical Security and Environmental Safeguards

•Keeping our facilities safe

•Maintaining the physical operating parameters of our datacenters


Control Objective 6: Change Management

•Continuous Operation

Control Objective 7: Data Integrity, Availability and Redundancy

•Ensuring your data remains safe, intact & available

Control Objective 8: Incident Handling

•Processes & procedures for mitigating and managing potential issues


•Let AWS do the heavy lifting

•This is what we do – and we do it all the time

•As the AWS customer you can focus on your business and not be distracted by the muck

Shared Responsibility

AWS

•Facilities

•Physical Security

•Physical Infrastructure

•Network Infrastructure

•Virtualization Infrastructure

Customer

•Choice of Guest OS

•Application Configuration Options

•Account Management flexibility

•Security Groups

•Network ACLs

•Large non-descript facilities

•Robust perimeter controls

•2 factor authentication for entry

•Controlled, need-based access for AWS employees

•All access is logged and reviewed

Physical Security

Asia%Pacific%(Sydney)%

Physical Security

Distributed Regions – Multiple Availability Zones

Network Security

•DDoS attacks defended at the border

•Man in the Middle attacks

•SSL endpoints

•IP Spoofing prohibited

•Port scanning prohibited

•Packet Sniffing prevented

Amazon EC2 Security

Host operating system•Individual SSH keyed logins via bastion host for AWS admins•All accesses logged and audited

Guest operating system•Customer controlled at root level•AWS admins cannot log in•Customer-generated keypairs

Stateful firewall•Mandatory inbound firewall, default deny mode

Signed API calls•Require X.509 certificate or customer’s secret AWS key

Amazon Virtual Private Cloud (VPC)

•Create a logically isolated environment in Amazon’s highly scalable infrastructure

•Specify your private IP address range into one or more public or private subnets

•Control inbound and outbound access to and from individual subnets using

stateless Network Access Control Lists

•Protect your Instances with stateful filters for inbound and outbound traffic using

Security Groups

•Bridge your VPC and your onsite IT infrastructure with an industry standard

encrypted VPN connection and/or AWS Direct Connect

Amazon Virtual Private Cloud (VPC)

Customer’s*Network*

Amazon*Web*Services*Cloud*

Secure&VPN&Connec-on&over&the&Internet&

Subnets(

Customer’s*isolated*AWS*resources*

Amazon VPC Architecture

Router(

VPN(Gateway(!Internet!

NAT(

AWS&Direct&Connect&–&Dedicated&Path/Bandwidth&

Amazon VPC - Dedicated Instances

•Option to ensure physical hosts are not shared with other customers

•$10/hr flat fee per Region + small hourly charge

•Can identify specific Instances as dedicated

•Optionally configure entire VPC as dedicated

Customers have requirements that require them to use specific encryption key management procedures not previously possible on AWS

•Requirements are based on contractual or regulatory mandates for keeping encryption keys stored in a specific manner or with specific access controls

•Good key management is critical

Customers want to run applications and store data in AWS but previously had to retain keys in HSMs in on-premises datacenters

•Applications may slow down due to network latency

•Requires several DCs to provide high availability, disaster recovery and durability of keys

Customer Challenge: Encryption

•AWS offers several data protection mechanisms including access control,

encryption, etc.

•AWS CloudHSM complements existing AWS data protection and encryption

solutions

•With AWS CloudHSM customers can:

•Encrypt data inside AWS

•Store keys in AWS within a Hardware Security Module

•Decide how to encrypt data – the AWS CloudHSM implements cryptographic functions

and key storage for customer applications

•Use third party validated hardware for key storage

AWS Data Protection Solutions

What is AWS CloudHSM?

•Customers receive dedicated access to HSM appliances

•HSMs are physically located in AWS datacenters – in close network

proximity to Amazon EC2 instances

•Physically managed and monitored by AWS, but customers control their

own keys

•HSMs are inside customer’s VPC – dedicated to the customer and isolated

from the rest of the network

AWS CloudHSM

AWS CloudHSM Service Highlights

•Secure Key Storage – customers retain control of their own keys and

cryptographic operations on the HSM

•Contractual and Regulatory Compliance – helps customers comply with the

most stringent regulatory and contractual requirements for key protection

•Reliable and Durable Key Storage – AWS CloudHSMs are located in multiple

Availability Zones and Regions to help customers build highly available

applications that require secure key storage

•Simple and Secure Connectivity – AWS CloudHSMs are in the customer’s VPC

•Better Application Performance – reduce network latency and increase the

performance of AWS applications that use HSMs

AWS Deployment Models

Logical Server and Application Isolation

Granular Information Access Policy

Logical Network Isolation

Physical server Isolation

Government Only Physical Network and Facility Isolation

ITAR Compliant(US Persons Only)

Sample Workloads

Commercial Cloud ü ü Public facing apps. Web sites, Dev test etc.

Virtual Private Cloud (VPC)

ü ü ü ü Data Center extension, TIC environment, email, FISMA low and Moderate

AWS GovCloud (US) ü ü ü ü ü ü US Persons Compliant and Government Specific Apps.

Everything You Do Now Can Be Done in the Cloud

•Intrusion Detection

•Intrusion Prevention

•Packet Capture

•Firewalls

•Access Control Lists

•Multi-Factor Authentication

•Identity and Access Management

Familiar Cloud Security

AWS Security Resources

•http://aws.amazon.com/security/

•Security Whitepaper

•Risk and Compliance Whitepaper

•Regularly Updated

•Feedback is welcome

Thank You!

Gold Sponsors

Silver Sponsors


AWS Summit Paris - Keynote Slides

Technology

Transcript of AWS Summit Paris - Keynote Slides